Cyber Incident Victim: Avention

Date: Mar 2016

Location: United States of America

Summary

Avention experienced two security incidents involving unauthorized access to employee data. The first breach involved compromised login credentials to a human resources vendor's system, leading to the theft of I-9 forms containing names, addresses, Social Security numbers, and government identification details. Separately, an employee fell victim to a phishing attack that resulted in the exposure of W-2 statements with similar personal and financial information. Both incidents were discovered only after employees reported issues with fraudulent tax filings. The company initiated an internal investigation, engaged a cybersecurity firm, notified law enforcement, and alerted affected current and former employees. Credit monitoring services were offered to impacted individuals. The breaches exclusively compromised employee data without affecting customer information or commercial services.

Description

In early 2016, Avention (formerly OneSource Solutions) experienced two separate data breaches involving employee information. The first signs of compromise emerged on April 19, when employees reported their tax returns had been rejected due to fraudulent filings. This prompted an internal investigation, system scans, and vendor outreach. On April 28, Avention discovered that an unauthorized actor had used an employee's credentials to access the platform of the company's HR information system (HRIS) vendor on March 31 and had downloaded all employees' I-9 forms. These forms contained names, addresses, Social Security numbers, and potentially passport numbers, driver's license details, birth certificates, or other government ID information. The HRIS vendor had not detected the credential misuse until Avention initiated the investigation. Avention confirmed the legitimate credential holder did not perform the download. Separately, on April 29, the company identified a second incident: on April 5, a different employee had fallen victim to a phishing attack and emailed all employees' 2015 W-2 statements (which included names, addresses, Social Security numbers, wage data, and tax withholding details) to an unauthorized recipient. Neither breach was detected until the tax filing issues triggered scrutiny.

Avention responded by engaging external legal counsel, federal law enforcement, and a cybersecurity firm to investigate both incidents. The company notified employees during a town hall meeting on April 29, followed by formal email notifications to current and former staff on May 4. Affected individuals received mailed letters offering three years of credit monitoring, identity theft protection, and insurance for losses. Avention has 201-500 employees globally across North America, Europe, and APAC. The breaches exclusively impacted employee data; customer information and commercial services remained unaffected. Avention initiated a security review to strengthen internal controls while maintaining that protecting affected personnel was its immediate priority. When questioned by media, the company declined to disclose the exact number of impacted individuals or to confirm whether the same attackers orchestrated both breaches.
